Cisco ASA NAT Outside Addresses Unreachable via Upstream OSPF Router
When a Cisco ASA performs NAT and maps internal hosts to outside addresses, upstream OSPF routers (e.g., Juniper MX5) have no routing information for that outside address space because the ASA does not natively redistribute NAT pools into OSPF. The resolution is to add a static route on the upstream router pointing the NAT outside subnet toward the ASA's upstream interface, then optionally redistribute that static route into OSPF or BGP so it propagates to other peers.
Indicators
- Upstream OSPF router (e.g., Juniper MX5) has no route to the NAT outside address space
- Traffic destined for NAT outside addresses is dropped or unroutable at the upstream device
- NAT translations on the ASA are correctly configured but outside addresses are unreachable from OSPF peers
- BGP peers cannot reach internally NAT'd hosts via the expected outside addresses
- OSPF routing table on the upstream device does not contain the NAT outside subnet
- Pings or traceroutes to the NAT outside address fail from upstream routers
Likely causes
- The ASA does not natively redistribute NAT outside address pools into OSPF
- The NAT outside address space is not statically routed toward the ASA on the upstream device
- OSPF is not configured on the ASA to advertise the NAT outside network
- No redistribution or export policy exists to inject the NAT pool into the OSPF domain
- The NAT outside subnet is only locally significant to the ASA and is never propagated upstream
Diagnostic steps
- Verify the ASA NAT configuration: run 'show nat detail' on the ASA CLI to confirm the static NAT mapping (e.g., 10.0.0.1 <-> 134.0.15.1) is correctly defined and active.
- Check the upstream Juniper MX5 routing table for the NAT outside subnet: run 'show route 134.0.15.0/24' (adjust the prefix as needed) to confirm whether a route exists and via which next-hop.
- Inspect the OSPF database on the Juniper MX5: run 'show ospf database' to verify whether any LSA is advertising the NAT outside address space into the OSPF domain.
- Review the ASA OSPF configuration: run 'show ospf' and 'show run router ospf' on the ASA to identify which networks are being advertised and confirm the NAT outside subnet is absent.
- On the Juniper MX5, configure a static route pointing the NAT outside address space toward the ASA's OSPF-facing interface IP (e.g., next-hop 10.0.1.1): 'set routing-options static route 134.0.15.0/24 next-hop 10.0.1.1'.
- If the route must be propagated to other OSPF or BGP neighbors, define an export policy under policy-options on the Juniper MX5 that matches the static route, and apply it to the protocol (e.g., 'set protocols ospf export static-to-ospf').
- Verify end-to-end reachability after the static route is in place by pinging the NAT outside address (e.g., 134.0.15.1) from the Juniper MX5 and any relevant BGP peers.
Resolution path
- Identify the NAT outside address or subnet configured on the ASA (e.g., 134.0.15.1/32 or a broader pool) using 'show nat detail'.
- Log into the upstream Juniper MX5 router.
- Add a static route on the MX5 for the NAT outside subnet with the ASA's upstream interface IP as the next-hop: 'set routing-options static route 134.0.15.0/24 next-hop 10.0.1.1'.
- Commit the configuration change on the MX5 and confirm the route appears in 'show route'.
- If the NAT outside subnet must be visible to OSPF neighbors or BGP peers, create an export policy and apply it to the relevant protocol on the MX5.
- Verify the route appears in the MX5 OSPF/BGP table as appropriate using 'show ospf database' or 'show bgp summary'.
- Confirm end-to-end reachability to the NAT outside addresses from upstream devices using ping or traceroute.
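The resolution path above as a complete Junos set-format configuration for the MX5, added here as an example and not taken from the original page or from vendor documentation. It assumes the NAT outside pool 134.0.15.0/24, the ASA upstream interface 10.0.1.1 and the policy name static-to-ospf used on this page; the term name nat-pool is an assumption. The route-filter limits the export to the NAT pool only, so other static routes on the MX5 are not leaked into the OSPF domain.

```junos
# Static route on the MX5: the NAT outside pool is reachable via the ASA's upstream interface
set routing-options static route 134.0.15.0/24 next-hop 10.0.1.1

# Export policy: accept only the NAT pool (exact match), reject everything else
# (term name "nat-pool" is an assumption, not from the original page)
set policy-options policy-statement static-to-ospf term nat-pool from protocol static
set policy-options policy-statement static-to-ospf term nat-pool from route-filter 134.0.15.0/24 exact
set policy-options policy-statement static-to-ospf term nat-pool then accept
set policy-options policy-statement static-to-ospf then reject

# Apply the policy so the pool is advertised to OSPF neighbors as an external route
set protocols ospf export static-to-ospf

# Verification after commit: the static route is active, and it appears as an external LSA
show route 134.0.15.0/24 exact
show ospf database external
```

If the pool must also reach BGP peers, the same policy can be applied under 'set protocols bgp group <group-name> export static-to-ospf'.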
Prevention
- Document all NAT outside address pools at design time and include corresponding static routes on upstream devices from the outset.
- Maintain a network addressing plan that maps NAT pools to upstream routing entries to prevent gaps in reachability.
- Include NAT outside address advertisement as a checklist item when provisioning any new ASA NAT policy.
- Consider using routable address space that is already part of the OSPF topology to reduce the need for manual static routes.
- Implement monitoring and alerting on upstream routers to detect missing routes for all known NAT outside address pools.
Tools
- Cisco ASA CLI: 'show nat detail'
- Cisco ASA CLI: 'show run router ospf'
- Cisco ASA CLI: 'show ospf'
- Juniper JunOS CLI: 'show route <prefix>'
- Juniper JunOS CLI: 'show ospf database'
- Juniper JunOS CLI: 'set routing-options static route <prefix> next-hop <ip>'
- ping / traceroute for end-to-end reachability verification